Cookiemonster attack

The CookieMonster attack is a man-in-the-middle exploit where a third party can gain HTTPS cookie data when the "Encrypted Sessions Only" property is not properly set. This could allow access to sites with sensitive personal or financial information.^[1]

It is a Python based tool, developed by security researcher Mike Perry.

Perry originally announced the vulnerability exploited by CookieMonster on BugTraq in 2007. A year later, he demonstrated CookieMonster as a proof of concept tool at Defcon 16.^[2]

Users of the World Wide Web can reduce their exposure to CookieMonster attacks by avoiding websites that are unprotected to these attacks. Certain web browsers make it possible for the user to establish which sites these are. For example, users of the Firefox browser can go to the Privacy tab in the Preferences window, and click on 'Show Cookies.' For a given site, inspecting the individual cookies for the top level name of the site, and any subdomain names, will reveal if 'Send For: Encrypted connections only,' has been set. If it has, the user can test for the site's vulnerability to CookieMonster attacks by deleting these cookies and visiting the site again. If the site still allows the user in, the site is vulnerable to CookieMonster attacks.^[3]^[4]

Affected websites

Websites allegedly affected by CookieMonster included:^[5]

Google services including: Gmail, Blogger, Google Docs, Google Finance and search history
Airline/Travel websites: Southwest, United, Expedia, USAirways.com, priceline.com
Banks: National City, USAA, Patelco, CapitalOne
Domain Registrars: Register.com, namesecure.com
Merchants: eBay, wireless.att.com, Netflix, Newegg

References

↑ Goodwin, Dan. "CookieMonster nabs user creds from secure sites • The Register". www.theregister.co.uk. https://www.theregister.co.uk/2008/09/11/cookiemonstor_rampage/. Retrieved 2009-02-18.
↑ Perry, Mike (4 August 2008). "CookieMonster: Cookie Hijacking | fscked.org". https://fscked.org/projects/cookiemonster.
↑ Claburn, Thomas (11 September 2008). "CookieMonster Can Steal HTTPS Cookies -- Security -- InformationWeek". http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml?articleID=210601197.
↑ Goodin, Dan (11 Sep 2008). "CookieMonster nabs user creds from secure sites" (in en). https://www.theregister.co.uk/2008/09/11/cookiemonstor_rampage/.
↑ Perry, Mike (24 August 2008). "Incomplete List of Alleged Vulnerable Sites | fscked.org". https://fscked.org/blog/incomplete-list-alleged-vulnerable-sites.

External links

Perry's Defcon Presentation (YouTube)
https://fscked.org/proj/cookiemonster/ActiveHTTPSCookieStealing.pdf - Defcon Presentation slides
http://fscked.org/blog/cookiemonster-core-logic-configuration-and-readmes

0.00

(0 votes)

Original source: https://en.wikipedia.org/wiki/Cookiemonster attack. Read more

[1] Goodwin, Dan. "CookieMonster nabs user creds from secure sites • The Register". www.theregister.co.uk. https://www.theregister.co.uk/2008/09/11/cookiemonstor_rampage/. Retrieved 2009-02-18.

[2] Perry, Mike (4 August 2008). "CookieMonster: Cookie Hijacking | fscked.org". https://fscked.org/projects/cookiemonster.

[3] Claburn, Thomas (11 September 2008). "CookieMonster Can Steal HTTPS Cookies -- Security -- InformationWeek". http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml?articleID=210601197.

[4] Goodin, Dan (11 Sep 2008). "CookieMonster nabs user creds from secure sites" (in en). https://www.theregister.co.uk/2008/09/11/cookiemonstor_rampage/.

[5] Perry, Mike (24 August 2008). "Incomplete List of Alleged Vulnerable Sites | fscked.org". https://fscked.org/blog/incomplete-list-alleged-vulnerable-sites.

[1]

[2]

[3]

[4]

[5]

Anonymous

Search

Cookiemonster attack

Namespaces

More

Page actions

Contents

Affected websites

See also

References

External links

Navigation

Navigation

Help

Translate

Wiki tools

Wiki tools

Anonymous

Search

Cookiemonster attack

Affected websites

See also

References

External links

Navigation

Wiki tools

Page tools

Other projects

Categories